GhostCall and GhostHire — two campaigns by BlueNoroff
GhostCall and GhostHire are two distinct but related cyber-espionage campaigns conducted by the BlueNoroff APT group, a Lazarus subgroup, targeting executives and developers in the cryptocurrency industry. GhostCall focuses on social engineering attacks against executives, primarily on macOS, using fake investor personas and spoofed video calls to lure victims to malicious sites that prompt malware installation. GhostHire targets blockchain developers by offering fake job opportunities and delivering malware through test tasks distributed via Telegram and GitHub. Both campaigns aim to infect victims' computers to steal cryptocurrency, credentials, and sensitive corporate secrets. The attacks leverage sophisticated social engineering and custom malware, with a shared command-and-control infrastructure. There are no known public exploits, but the campaigns demonstrate targeted, well-prepared operations. European organizations in the crypto and blockchain sectors, especially those with macOS-using executives and developers, face significant risk. Mitigation requires tailored security awareness training, advanced endpoint protection, and strict controls on software installation and external communications. Given the targeted nature, potential financial theft, and infection vectors, the threat severity is assessed as high.
AI Analysis
Technical Summary
The BlueNoroff APT group, affiliated with the Lazarus threat actor, has conducted two coordinated campaigns named GhostCall and GhostHire targeting the cryptocurrency industry. GhostCall primarily targets executives using macOS devices, leveraging sophisticated social engineering tactics such as impersonation of investors—including stolen identities and fragments of real video calls—to arrange meetings. Victims are directed to fake Microsoft Teams or Zoom websites that prompt them to download malicious files under the guise of client updates or technical fixes. These files install malware designed to steal cryptocurrency wallets, credentials, and sensitive corporate information. GhostHire targets blockchain developers by offering fraudulent job opportunities with attractive terms. Victims interact with a Telegram bot that provides a GitHub link or archive containing a test task with a tight deadline. While performing the task, the victim’s system becomes infected with malware. Both campaigns share a common command-and-control infrastructure, indicating coordinated operations. The malware and infection chains are sophisticated, with at least seven distinct infection vectors identified in GhostCall alone, including previously unseen methods. Although no public exploits are known, the campaigns demonstrate a high level of preparation and targeting, focusing on individuals with access to valuable crypto assets and corporate secrets. The attacks exploit social engineering and trust in communication platforms, emphasizing the need for vigilance among executives and developers. The campaigns highlight the evolving tactics of financially motivated APT groups targeting the blockchain sector.
Potential Impact
European organizations involved in cryptocurrency and blockchain development are at significant risk from these campaigns. Successful infections can lead to theft of cryptocurrency assets, exposure of sensitive credentials, and compromise of proprietary blockchain development secrets, potentially resulting in financial losses and reputational damage. Executives using macOS devices are particularly targeted, which may impact leadership decision-making and corporate governance if their communications or credentials are compromised. Developers infected via GhostHire risk exposing source code and internal tools, which could facilitate further attacks or intellectual property theft. The campaigns' reliance on social engineering and fake communication platforms increases the risk of widespread compromise within targeted organizations. Given the financial motivation and targeted nature, affected companies may face regulatory scrutiny under GDPR if personal data is compromised. The attacks could also disrupt ongoing blockchain projects and partnerships, undermining trust in European crypto enterprises. Overall, the campaigns pose a medium to high operational and financial threat to European crypto industry stakeholders.
Mitigation Recommendations
European organizations should implement targeted security awareness programs that specifically address the tactics used in GhostCall and GhostHire, including training executives and developers to recognize sophisticated social engineering, fake video calls, and fraudulent job offers. Deploy advanced endpoint protection solutions with behavioral detection capabilities on all corporate devices, especially macOS systems used by executives. Enforce strict policies restricting installation of software from unverified sources and mandate multi-factor authentication for all remote collaboration tools. Monitor network traffic for connections to known command-and-control servers associated with BlueNoroff. Use threat intelligence feeds to update detection rules and indicators of compromise related to these campaigns. Encourage developers to verify job offers and test tasks through official company channels and avoid using third-party messaging apps like Telegram for recruitment processes. Conduct regular phishing simulation exercises tailored to the crypto industry context. Implement network segmentation to limit lateral movement if a device is compromised. Finally, maintain incident response plans that include procedures for handling targeted APT intrusions and cryptocurrency theft scenarios.
Affected Countries
Germany, United Kingdom, France, Netherlands, Switzerland, Sweden, Estonia
Technical Details
Article Source: https://www.kaspersky.com/blog/bluenoroff-ghostcall-ghosthire-lazarus/54681/ (fetched 2025-10-28T15:25:11Z, 996 words)
Threat ID: 6900e057d44cb7cb5001080e
Added to database: 10/28/2025, 3:25:11 PM
Last enriched: 11/13/2025, 1:08:52 AM
Last updated: 12/15/2025, 4:43:26 AM